Note: This question is specific to Unity3D
I have a very clean android manifest file in Unity project under Plugins/Android/ folder with no <uses-permissions/> tag at all. I believe that some permissions in final APK comes from Android Player Settings for-example READ_EXTERNAL_STORAGE. In my Gear VR project I see following lines added in final manifest which can be accessed in Temp/StagingArea/:
<uses-permission android:name="android.permission.RECORD_AUDIO" />
<uses-feature android:name="android.hardware.microphone" android:required="false" />
Now this is definitely coming from one of the plugins that I have in my project (I have many plugins).
My app is getting rejected from Oculus saying
Your app is asking for excessive user permissions for using user
permissions inappropriately.
I found a workaround here, but I dont want to do such a thing as this may result in app rejection once again.
So
Is there a way I can find out that where this permission is coming from?
How to find out if there is some code in my scripts which causes unity to include this permission?
Thanks
Easy Way
I think this easier approach applies if your Unity project is being built with gradle. If it isn't, here is one more reason to upgrade.
Also, a big shout-out to an article called, Hey, Where Did These Permissions Come From?)
Build Your Project
Open the file /path/to/my/project/Temp/gradleOut/build/outputs/logs/manifest-merger-release-report.txt
Profit!
Search the file for the name of your permission, and it'll show you where it came from.
Here is part of the file, where I'm looking for the WRITE_EXTERNAL_STORAGE permission.
uses-permission#android.permission.WRITE_EXTERNAL_STORAGE
ADDED from /Users/clinton/Projects/<<ProjectName>>/Temp/gradleOut/src/main/AndroidManifest.xml:7:3-79
MERGED from [gradleOut:IronSource:unspecified] /Users/clinton/Projects/<<ProjectName>>/Temp/gradleOut/IronSource/build/intermediates/bundles/default/AndroidManifest.xml:13:5-81
android:name
ADDED from /Users/clinton/Projects/<<ProjectName>>/Temp/gradleOut/src/main/AndroidManifest.xml:7:20-76
Hard Way
There are three ways permissions get added to your project.
They are specified in an Android Manifest file.
They are specified in library (a .aar file).
Unity adds the permission when you use a certain feature. (Added)
My examples use command-line tools on a Mac. I don't know Windows equivalents, but it is possible to find and run unix tools there (using the linux subsystem for windows 10, cygwin, custom binaries, etc.)
1. Find all permissions used in (uncompressed) Android Manifests.
cd /path/to/my/project/Assets
grep -r "uses-permission" --include "AndroidManifest.xml" .
This will find all files named AndroidManifest in the current folder (.) or any of its subfolders (-r tells it to search recursively) and spit out any line with the words 'uses-permission'.
In my current project, I get output something like this:
./Plugins/Android/AndroidManifest.xml: <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
./Plugins/Android/AndroidManifest.xml: <uses-permission android:name="android.permission.INTERNET" />
./Plugins/Android/AndroidManifest.xml: <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
./Plugins/Android/AndroidManifest.xml: <uses-permission
./Plugins/Android/IronSource/AndroidManifest.xml: <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
./Plugins/Android/IronSource/AndroidManifest.xml: <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
2. Find the permissions required in Android Libraries
Your project likely contains android libraries (.aar files) and java archives (.jar files). Some android libraries contain an android manifest and specify permissions needed to use the library. (I don't think .jar files actually do this, but .aar files absolutely do). Both .aar and .jar files are .zip files, with a different extension and with specific metadata in specific places.
Find them by running:
find . -iname "*.?ar" -print -exec zipgrep "uses-permission" "{}" "AndroidManifest.xml" ";" 2> /dev/null
Here's what this does.
It finds any file (in the current folder (.) and its subfolders) has an extension of (something) a r, thus .jar, or .aar (-name "*.?ar").
It outputs the archive's file name (-print).
It then runs zipgrep (-exec).
Zipgrep is told to search through any files in the archive ({}) named "AndroidManifest.xml", and output any line with the words "uses-permission".
We then pipe the errors to the bit bucket (2> /dev/null) so we don't see lots of errors about archives that don't have android manifests in them.
An example output looks like this:
./OneSignal/Platforms/Android/onesignal-unity.aar
AndroidManifest.xml: <uses-permission android:name="android.permission.INTERNET" />
AndroidManifest.xml: <uses-permission android:name="com.google.android.c2dm.permission.RECEIVE" />
AndroidManifest.xml: <uses-permission android:name="android.permission.WAKE_LOCK" />
AndroidManifest.xml: <uses-permission android:name="android.permission.VIBRATE" />
...
./Plugins/Android/android.arch.core.common-1.1.0.jar
./Plugins/Android/android.arch.core.runtime-1.1.0.aar
./Plugins/Android/android.arch.lifecycle.common-1.1.0.jar
...
./Plugins/Android/com.google.android.gms.play-services-gcm-11.8.0.aar
AndroidManifest.xml: <uses-permission android:name="com.google.android.c2dm.permission.RECEIVE" />
AndroidManifest.xml: <uses-permission android:name="android.permission.INTERNET" />
./Plugins/Android/com.google.android.gms.play-services-gcm-license-11.8.0.aar
./Plugins/Android/com.google.android.gms.play-services-iid-11.8.0.aar
AndroidManifest.xml: <uses-permission android:name="com.google.android.c2dm.permission.RECEIVE" />
AndroidManifest.xml: <uses-permission android:name="android.permission.INTERNET" />
./Plugins/Android/com.google.android.gms.play-services-iid-license-11.8.0.aar
...
The filenames all start with periods. I can thus see, for example, that the onesignal-unity.aar sets several permissions, several .jar files were searched with no permissions inside them, and some of the play services libraries specify permissions.
If I needed to change a library, I could rename the .aar to .zip, extract it, edit it, compress it, and rename it back. (It isn't necessarily wise to change the permissions inside a library, but possible.)
3. Unity Adds the Permission
I didn't have anything to add on this; as said above, if you use the Microphone API, Unity will add a permission for you so your app will work.
However, I've since realized that you can do the following:
bring up the Build Settings for Android
tick the 'Export Project' box
Export the project, noting the location
go to /my/project/export/src/main/AndroidManifest.xml. This is what Unity emits for the android manifest (before google's tools do all the merging).
compare it (using your favourite diff tool) to Assets/plugins/Android/AndroidManifest.xml; the differences come from Unity.
Unity will add permissions for you on the fly during build time as mentioned by eriQue of Unity Technologies this is to prevent malfunction of code, and unexpected behaviours.
You could use a tool such as this Apk-decompiler to take a look at your new manifest, and which permissions this uses. Based on that you may look for certain functions that could trigger these permissions.
Certain functions such as isGeniune will require several permissions as it will use verification against an external server.
Alternatively you can also replace your manifest in the decompiled APK, manually change out the manifest with the one intended, and resign it. This is some more grunt work, but if proper error logging is in place it might speed up the process of tracking down the problematic functions.
Update
As I mentioned in the comments below as well. There is no real way to pinpoint functions. But a quick check list can not hurt, but will require some work
Are you using any external services?
A lot of external services, think of google, twitter, facebook api's and tools require additional permissions. Usually these are storage/network related, but depending on the goals of the tool / api, it could be many more.
Try building your APK with and without the tools/apis to see if there are any differences.
Are you using unity ads?
Unity ads makes use of 3 permissions by itself, and older versions might still even make use of 5. If you are using their ads, then you will have to take these for granted.
Did you disable unity statistics?
Ever looked at those fancy stats Unity seems to be able to provide? Well, unless you disabled this, you are most likely participating in this as well.
These stats require several permissions, as the phone will be analysed on a hardware level as well as seen in the provided stats.
Are you really using all your api/tool/assets requirements?
You might have included some api's, tools or just about any dll from an external party that may or may not include code that requires dependencies. Just as often those are not 100% sanitized, and might include permission requirements not relevant to their functionality, or to the functionality that you require.
Say, some ad service might want to access a users microphone. But as you are not using their "OMG vocal response analyses" functions, this permission is not required for you.
These permissions can either be removed manually, as I earlier described in my answer. Or through some form of automation such as the post build marked editor script.
QUESTION SPECIFIC:
RECORD_AUDIO permission makes its way into android manifest file if there is a call to Microphone library in any of script in project. It doesn't matter if the script exists in scene or not. In this specific case, if Oculus Platform SDK is imported in project (which is a store requirement) there are few scripts which uses Microphone library. So if you don't use any audio recording feature e.g voice input, just remove the following files under OculusPlatform/Scripts: MicrophoneInput.cs, IMicrophone.cs, MicrophoneInputNative.cs
#mx-d is right. I just want to add another way of fixing this: in build settings you can tick the Google Android Project which will generate an Android Studio project. From there you can use Android Studio's manifest merger tool to override the permissions.
Question #1: the only way to find which library is throwing in the extra permission is to remove libraries one by one, building the project and checking the .apk manifest. Unfortunately unity is not as flexible as Android Studio production-wise.
Question #2: You can not add permissions in Unity through code (unless it's a custom editor script specifically designed for stitching up manifest files)
I found with Unity 2021 the path is now:
/Library/Bee/Android/Prj/IL2CPP/Gradle/launcher/build/outputs/logs/manifest-merger-release-report.txt
Hi I'm finding lots of posts about people having to many permissions for their android platform when they use cordova.
I'm missing the INTERNET permission. I can add this manually, but I don't want to do this every single time someone wants to compile an app (The platforms dir is on .gitignore and should not be versioned, so whenever someone takes over the project or w/e it should generate fine).
Currently the manifest adds 2 permissions:
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
<uses-permission android:name="android.permission.ACCESS_WIFI_STATE" />
It should however also add INTERNET, which works fine when I add it manually.
I tried adding
in my config.xml, also
But no cigar, I removed the android platform also to see if it was just not being built.
Recently tried using Phonegap Build, causes the same issue, also for Windows Phone. So currently I can only do iOS properly.
It magically started working, I have no clue why it didn't get added before. I did not even update the platforms or w/e.
I am having an issue in publishing my app in Google play when I include some plugins like cordova-plugin-geolocation in my app, as it adds the following 2 permissions in my manifest file
<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
<uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION" />
this causes an issue that some of the phones are not able to view the app in the google play as they tell me that android.hardware.location.network access is not compatible on those devices.
when I researched a bit more, I can see that this can be avoided by converting uses-permission to uses-feature and setting the android:required="false" then I can handle it in my code as this is not a must have feature for me.
My issue is I am unable to find how to change this in my visual studio project. can someone please help me understand whats the way to fix this?
Regards
Kiran
There is no way within VS to add contents to your Android projects manifest file. You will have to hand edit those, but beware that these changes would be over-written every time you build your project through VS. There are couple of ways you can workaround this -
You can add post_build Cordova hook that would update the Manifest file.
You can add a gulp task and hook this to MSBuild post_build event through VS.
SOak
(PM - Microsoft)
I added this plugin: https://github.com/aliokan/cordova-plugin-admob
with the command line in PhoneGap 3.3
However I decided to use a different plugin. After attempting an uninstall:
cordova plugin remove com.google.cordova.plugin.AdMobPlugin
I rebuilt the app and launched it on my device. The application compiles fine but the information I display (an RSS feed) does not display the data. Instead, my error catch displays a message. BUT, when I re-install the plugin, it works!
I have not changed any part of the config.xml file, or Android Manifest so I am lost as to why this is happening. Any help?
The plugin adds some authorisations in AndroidManifest.xml when it's added :
<uses-permission android:name="android.permission.INTERNET" />
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
I think that your issue is that when you remove the plugin, it doesn't know if this authorisations were already there (added by an other plugin or present by default) or not and removes the lines in all cases.
I suggest you manually edit platforms/android/AndroidManifest to add the lines you need.
If you have no plugins in your project, you will at least need to add android.permission.INTERNET which is present in default cordova project and needed for any app accessing network.
If you have FILE plugin or any other plugin needing to write to sdcard, also add android.permission.WRITE_EXTERNAL_STORAGE.
I have a PhoneGap 3.2 project. I am building this project to Android using:
phonegap build android
The project Manifest.xml generated contains the RECORD_AUDIO permission. However, I do not need this permission. If I remove it, the next time I run the build command, the permission comes back. I makes my deployment cycle a hassle with many manual modifications.
How can I prevent phonegap of always adding it? Or how can I add the required info to the config.xml file to handle this issue?
If it keeps getting defined at build time, check your config.xml if you have it specified there?
<gap:plugin name="org.apache.cordova.media" />
That would cause it to get added again at build.